Sharing your birthday online and the risks it brings.

Categories Privacy

I am sure you are so happy when you see the wall of congratulations on your Meta, Twitter, or LinkedIn feeds. It brings joy and sometimes false happiness that you have so many friends who care about you.

When you share your birthday publicly, it brings some risks for you, and you might become a victim of a phishing attack.

Let me walk you through a simple scenario of how those attacks are executed.

The motivation of the attacker

The attacker has bad intentions. Their motivation, in this case, is to make you click on a link that could do a few things:

  • To lead you to a page where you enter even more information, which helps them execute more time-consuming attacks later, such as identity theft or a social engineering attack.
  • To force you to download an executable file (masked as a birthday gift card) and install it on your computer, giving them access to your personal or corporate network.
  • To trick you into adding your credit card information: imagine a subject asking you to chip in for your friend’s birthday gift.

Why would that work?

Let’s be honest here: you are more likely to click on a message that says, “Happy Birthday, [your name], here is our gift for you” than on anything else. You feel special on that day and you think with the emotional part of your brain.

Attack vector

Let me go through one possible flow of events (attack vector) via a LinkedIn-type service.

  • If your birthday information is protected by a login-first method, the attacker will check whether there is a leaked email/password combination for you on this website and will log in with your account. Leaked data is still available for sale, and many people are still using the same combination.
  • Then the attacker will see your friends list and will get their first and last names.
  • If your contact published their email, the attacker will get it from there. If not, the attacker will go to their company information and get the email patterns for the company from services like this one.
  • Then they need to construct the email and send it to you, keeping in mind that you should not receive tons of emails at once.

This could be run manually or automated easily by using a web scraper and some basic Python scripts to make it work in just a few hours.

If you look at the attacker motivation section above, you could construct one that works even better. An attacker could pretend to be the person with the most connections among your friends and email your friends a week before your birthday, asking them to buy you a present by submitting their credit card details on a special page. Of course, this page will be “credible”, because your picture, which you share publicly, will be shown there, together with some appropriate message to trigger your friends’ feelings.

You wouldn’t even know that your friends chipped in until they asked you how you like your new game console.


Those attack scenarios are just a few of the basic ones that cover some easy-to-explore patterns, supported by the publicly available data you have on your social media page.

An experiment

To support this with data, I created a small experiment, doing exactly what I described, manually to some of my peers. 40% of them clicked on the link I sent pretending to be someone else. Of course on the landing page, I told them this is a joke and I told them to be more careful next time. How many peers do you have on social media? Imagine 40% of them clicking because they want to make you happy for your birthday.

What can you do?

I know you are a smart person and you will find a way to protect yourself, but here is some advice from me to help you get started:

  • You can help yourself by no longer sharing your birthday publicly. The friends that care about you will know when you were born and find a way to congratulate you. Every service you use allows you to delete or hide your birthday, which will limit the risk.
  • Check regularly here whether your account has been compromised, see what data ended up in the wrong hands, and consider removing it from your profile.
  • Share the bare minimum details with those services. The more you share, the bigger the risk for you.
  • Consider moving your account to a new type of privacy-respecting data storage.
  • Be careful about what messages you open and what links you click. Think before you click.

Help your friends

Sharing is caring. If you like your friends and you see them sharing their birthday information everywhere, send them a link to this article to warn them about all the things that can happen by exposing this detail, innocent at first look, about their most precious day of the year.

Identity Theft with birthday information

As I said, some level of protection against phishing attacks is available for you by default from your vendor or ISP, but there is not much to do if you become a victim of identity theft.

I recommend reading this article to learn more in-depth about this threat.

The header image is published under Attribution-NonCommercial 2.0 Generic (CC BY-NC 2.0) license

Product Idea: Privacy First in (Food) Delivery

Categories Privacy, Prototyping

Problem: 

How many times have you received a food delivery and seen your name, address, and phone number written on the tax receipt?

How many packages did you get from a courier with the same data written in giant letters?

Data that could identify you is private, and we must protect it. At the same time, your delivery partner needs those details so they can fulfill your order. Are we in a Catch-22 type of situation here? Not at all!

Let’s see the flow of data in this complicated situation:

  1. You order food via your favorite app, and you give your name, address, and phone to them.
  2. They are just an aggregator, so they forward your details to the actual place to prepare the food.
  3. The restaurant uses a courier company (or a shared delivery engine) to deliver the order to you, and of course, they will share your details with them.

You can see your data flowing from system to system without your control or awareness. Add to that the fact that they print out the tax receipt and hand it over to a 3rd party without your consent, and you can imagine all the possible threats.

You don’t have visibility into who is doing what with your protected personal data. Every party in this chain believes that they need your details stored and printed out to “help you” get your food or item. And you even pay them to abuse you. Too harsh? Nope.

What is the solution, then?

Let me get this right. We all need a service like that, where you can order stuff and get it at home. The question here is: can we get a service that 1) believes your data is precious and uses it only when needed, 2) with your permission, and 3) without storing it?

Imagine a situation like this:

The courier needs to deliver you some food. Before she leaves the station, she needs to know where to go. Remember: they don’t have your data. So she opens up an application and initiates a request to you to share the details.

Privacy Application - Request

Then, while sitting on the couch, you receive an alert for the request.

Privacy Application - Response

The courier is requesting the first name and the last name. You think they don’t need them for your food delivery. They could need your address and maybe your phone. So you select what you want to share and send it to them by selecting data from your data wallet, where you keep your details secured and encrypted.

Then the courier receives that, and the data will be available only until they deliver the food to you and then will expire and not be visible or stored anywhere. 

Data Wallet?

Here, the concept is that you, as a human, own your data. You keep it safe with you, as you do with your physical wallet. When someone needs a bit of information, you decide what to send and how long they can have it.

* In the text “Data Wallet” is a concept, not a name of an already existing product.
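
A minimal sketch of the request/response flow described above, added here as an illustration and not taken from any existing product: the courier asks for four fields, the owner approves two, and the grant is wiped on delivery or timeout. The class names, field names and the `courier-17` identifier are hypothetical, the sample details are constructed, and encryption of the wallet at rest is left out.

```python
import time
from dataclasses import dataclass


@dataclass
class Grant:
    """Copy of the released fields held by the requester (the courier)."""
    values: dict
    expires_at: float

    def read(self, now=None):
        """Return the fields while the grant is live; wipe them once expired."""
        now = time.time() if now is None else now
        if now >= self.expires_at:
            self.values = {}          # nothing left to store or print
        return dict(self.values)

    def complete_delivery(self):
        """Delivery done: expire immediately, whatever time was left."""
        self.expires_at = 0.0
        self.values = {}


class DataWallet:
    """Hypothetical wallet: the owner's details plus a log of every request."""

    def __init__(self, details):
        self._details = dict(details)
        self.audit = []               # (requester, requested, released)

    def respond(self, requester, requested, approved, ttl_seconds, now=None):
        """Release only fields that were requested AND approved by the owner."""
        now = time.time() if now is None else now
        released = [f for f in requested
                    if f in approved and f in self._details]
        self.audit.append((requester, tuple(requested), tuple(released)))
        return Grant({f: self._details[f] for f in released}, now + ttl_seconds)


def demo():
    # Constructed sample data, not real personal details.
    wallet = DataWallet({"first_name": "Ana", "last_name": "Example",
                         "address": "1 Sample Street", "phone": "+00 000 0000"})
    asked = ["first_name", "last_name", "address", "phone"]
    grant = wallet.respond("courier-17", asked, {"address", "phone"},
                           ttl_seconds=3600, now=1000.0)
    during = grant.read(now=1500.0)   # courier is on the way
    grant.complete_delivery()
    after = grant.read(now=1501.0)    # food handed over
    return during, after, wallet.audit
```

The audit list keeps what was asked for next to what was released, so over-asking by a requester stays visible to the owner. The expiry here is enforced by the application holding the grant; it cannot make a recipient forget what was already shown on screen.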

Privacy First

As I said before in this tiny article, the data we share with random parties must be protected. The best way to do that is to have the control at your disposal and not count on 3rd parties to do that for you. Most vendors are using the data you shared with them for purposes you never agreed to. So why don’t we take the control back if the technology supports that?

Food for thought

  • If you recycle, how many times did you make your data unreadable before throwing the envelope in the bin?
  • If you look at the paper recycling bin that sits in front of your building, how many names, phones, and addresses do you think you will find?

Privacy header image by Nick Youngson. Published under CC BY-SA 3.0

Involve your team members when you do your threat modeling.

Categories Privacy, Security

Most of the companies I worked for or know about have a bizarre threat modeling process. They count on the architect or the most knowledgeable person to do the threat modeling. It’s defined as a one-person job!

If your goal is to do it only because it’s one of the required artifacts for your service to go into production or any other stage, it may be the right approach. But this is not threat modeling; it’s a false sense of security. You invite harmful attempts against your system because you put all the eggs in one basket.

It’s the exact opposite of the goal of a threat modeling session.

Involve your team members when you do your threat modeling.

Every person in your team has a unique perspective and a way of thinking about possible threats against any system. 

Every person has a different experience compared to the others. 

Every person has different emotions and morale. 

All of those qualities play a critical role in the threat modeling process.

Let me give you an example:

I started a fun and useful exercise, explaining the threat modeling goal by bringing people together in front of a virtual whiteboard and doing a threat modeling against a beer tap infrastructure. 

The challenge

We have a yard with a few doors to enter it. We also have the beer tap, a pressure system, key storage, and some power controls. We have two boundaries to protect.

The team members were encouraged to “go wild” and think individually, for just 7 min, about all the possible threats they see against the infrastructure.

Then I asked them to put virtual “sticky” notes near the components that could be threatened and discuss the findings as a team.

I did that with six groups from different geo-locations, and every time, I received different results. 90% of the threats were common, but 10% of them differed from group to group. This is how you make your modeling better.

To compare, I asked a few people to do this exercise alone for the same time, and the difference I saw was that the wisdom of the crowd identified 40% more threats than a single individual. If this is not hard proof, what is?

Involve your team members when you do your threat modeling. It’s the first step in your journey towards creating a bit more secure products.

No, Facebook, I don’t want my 5$ back, but I want something from you.

Categories Closed Technologies, Mashup, Privacy

Via different channels I got the same question:

Did you get your 5 dollars back?

It’s not a secret, that I got this question as well:

Did you really delete the data as requested? Can you sell it to me … /can you share it with me?/

Well the truth is, I don’t want my 5$ back, especially not from Facebook.

And yes, I deleted the data…but maybe, just maybe I’ve deleted the data the same way Facebook deletes users’ data when he/she wants to delete his/her account…

What do I want?

I want Facebook to start removing entire user data after pressing “Delete my account”. Is this so much to ask? This is fair, isn’t it? Can we achieve that as a community?

I just bought more than 1 million …Facebook data entries. OMG! /updated/

Categories Privacy

I have the bloody habit of looking for cheap deals on some websites, and today I got the featured offer to buy more than 1 million Facebook entries containing full name, e-mail and Facebook profile URL.
I made a quick check over the data and surprise, surprise: most of them are real and I even know some of those users.

1 million Facebook accounts? WTF?

The description of the offer says:

The information in this list has been collected through our Facebook apps and consists only of active Facebook users, mostly from the US, Canada, UK and Europe. There are users from other countries as well but they are almost exclusively English speaking as well, as all the apps we provide are written in English and to use them properly one needs to read the instructions. The list is checked and validated once a month so you won’t get a list full of invalid or duplicate email addresses. Whether you are offering a Facebook, Twitter, social media related or otherwise a general product or service, this list has a great potential for you. Finally, the list is in a zipped excel format split into 12 sheets, each sheet containing roughly 100,000 email addresses with name, last name and facebook profile information separated with comma.

 

Do you still feel secure?

Oh yes, the deal price was 5$ – five U.S. dollars.

Oh, this is not the end of the story. I’ve got a phone call from them.

(Update): No, Facebook, I don’t want my 5$ back, but I want something from (for) you.